Adam Bannister Jan 6, 2022 14:34 UTC
Updated: January 6, 2022 14:36 UTC
Internet and Technology Agency helps affected organizations secure accounts and strengthen defenses
An investigation by the New York State Office of the Attorney General (OAG) found that more than 1.1 million online customer accounts of 17 “high-profile” businesses were subject to credential stuffing attacks.
All affected organizations – including online retailers, restaurant chains and food delivery services – will take remedial measures upon notification, such as alerting affected individuals and resetting passwords, OAG said.
The companies’ own investigations later revealed that most of the attacks had previously gone undetected.
Simple and effective attack
Credential stuffing attacks use specialized software to “populate” login pages at high speed with thousands or millions of username-password combinations collected from data breach dumps.
Also known as “password reuse” attacks, the technique is relatively simple but highly effective, because two-thirds of internet users (PDF) use the same login details across multiple online accounts.
After hijacking online accounts, attackers can steal victims’ identities and potentially bypass stricter authentication processes implemented by banks and other custodians of high-value assets.
Content delivery network Akamai observed more than 193 billion (PDF) credential stuffing attacks in 2020 alone.
Months-long investigation
In a months-long investigation, OAG’s Internet and Technology Bureau monitored several online cybercriminal communities dedicated to credential stuffing.
After combing through thousands of posts, the bureau collected credentials that attackers had successfully used to take over accounts.
It then helped the affected organizations identify how their existing safeguards had been circumvented and provided recommendations for preventing a recurrence.
“Almost all” of the 17 affected companies have since implemented, or plan to implement, additional safeguards, the OAG said in a press release published yesterday (January 5).
Recommendations
In a guide (PDF) released to help New York State businesses protect their customers from credential stuffing attacks, the OAG says the most effective protections are bot detection services, multi-factor authentication, and passwordless authentication.
The OAG also urged e-commerce platforms to require re-authentication of credit card details at the point of purchase, since in many cases the absence of such a mechanism has enabled fraudulent purchases.
At the same time, an incident response plan should include processes for determining if and which accounts have been compromised, preventing attackers from continuing to access affected accounts, and notifying potentially affected customers.
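The two technical points above, the high-speed cycling of breached username-password pairs through a login page and the incident response need to determine which accounts were actually reached, can both be illustrated over authentication logs. The following script is an added example and is not code from the OAG report or its guide; the log format, the thresholds and the sample lines are all constructed for illustration. It flags source addresses that attempt many distinct usernames in a short window with a low success rate (a stuffing tool working through a breach dump looks very different from one customer mistyping their own password) and then lists the accounts that logged in successfully from a flagged source, which are the accounts a response plan would lock, reset and notify.

```python
"""Detect a credential stuffing burst in web authentication logs and list the
accounts it reached, so an incident response team knows which accounts to
lock and which customers to notify.

Added example, not part of the OAG report or guide. The log format, the
thresholds and the sample lines are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in the shape
# "<ISO timestamp> <client IP> <username> <LOGIN_OK|LOGIN_FAIL>".
# 203.0.113.0/24 and 198.51.100.0/24 are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2022-01-05T10:00:00 198.51.100.7 alice LOGIN_OK
2022-01-05T10:00:01 203.0.113.5 bob LOGIN_FAIL
2022-01-05T10:00:01 203.0.113.5 carol LOGIN_FAIL
2022-01-05T10:00:02 203.0.113.5 dave LOGIN_FAIL
2022-01-05T10:00:02 203.0.113.5 erin LOGIN_OK
2022-01-05T10:00:03 203.0.113.5 frank LOGIN_FAIL
2022-01-05T10:00:03 203.0.113.5 grace LOGIN_FAIL
2022-01-05T10:00:04 203.0.113.5 heidi LOGIN_FAIL
2022-01-05T10:00:04 203.0.113.5 ivan LOGIN_OK
2022-01-05T10:00:30 198.51.100.7 alice LOGIN_FAIL
2022-01-05T10:00:35 198.51.100.7 alice LOGIN_OK
"""


def parse_log(text):
    """Turn raw lines into (timestamp, ip, user, success) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, outcome = parts
        events.append((datetime.fromisoformat(ts), ip, user, outcome == "LOGIN_OK"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, max_success_rate=0.5):
    """Return {ip: summary} for sources that tried at least `min_users` distinct
    usernames inside any `window`-long span with a success rate at or below
    `max_success_rate`. The thresholds are constructed; tune them to real traffic."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e[2] for e in span}
            successes = sum(1 for e in span if e[3])
            if len(users) >= min_users and successes / len(span) <= max_success_rate:
                summary = {
                    "attempts": len(span),
                    "distinct_users": len(users),
                    "successes": successes,
                    "first_seen": span[0][0],
                    "last_seen": span[-1][0],
                }
                best = flagged.get(ip)
                # Keep the widest qualifying window seen for this source.
                if best is None or summary["distinct_users"] > best["distinct_users"]:
                    flagged[ip] = summary
    return flagged


def compromised_accounts(events, flagged):
    """Usernames with a successful login from a flagged source, mapped to the
    sources involved: the accounts the response plan must lock, reset and notify."""
    hits = defaultdict(set)
    for _ts, ip, user, ok in events:
        if ok and ip in flagged:
            hits[user].add(ip)
    return dict(hits)


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    sources = find_stuffing_sources(events)
    for ip, info in sources.items():
        print(f"{ip}: {info['distinct_users']} usernames in {info['attempts']} "
              f"attempts, {info['successes']} successes "
              f"({info['first_seen']} .. {info['last_seen']})")
    for user, ips in compromised_accounts(events, sources).items():
        print(f"lock and notify: {user} (reached from {', '.join(sorted(ips))})")
```

The distinct-username count is what separates stuffing from an ordinary brute-force or a forgetful customer: one address hammering one account trips a lockout, while a stuffing tool tries each stolen pair once and moves on, so per-account lockouts never fire. The success rate guard keeps a shared corporate egress address, where many legitimate users log in correctly, from being flagged. Any successful login from a flagged source is treated as a compromise rather than as proof of the customer's identity, which is why the accounts are reset rather than merely monitored.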
“Currently, more than 15 billion stolen credentials are circulating on the Internet, leaving users’ personal information at risk,” said New York Attorney General Letitia James.
“Businesses have a responsibility to take appropriate action to protect their customers’ online accounts, and this guidance sets out the key safeguards companies can use to combat credential stuffing.”